nullocks, did you ever get this to work? I'm having the same problem. "match_key" will work fine, but if I make it "match_key_value" and use check_value, I get nothin'.
On Wednesday, October 27, 2010 9:22:48 AM UTC-4, nullocks wrote:
>
> Is anyone currently using the address_match_key_value CDB lookup? I am
> trying to use the following:
>
> <rule id="110102" level="6">
>   <if_sid>110100</if_sid>
>   <list field="srcip" lookup="address_match_key_value" check_value="^sslvpn">lists/bcexclusions</list>
>   <description>Host in SSLVPN subnet is bypassing WebProxy</description>
> </rule>
>
> In the list, I have:
> 10.17.1.:sslvpn
>
> And the log decodes:
> decoder: 'pix'
> id: '6-106100'
> action: 'permitted'
> proto: 'tcp'
> srcip: '10.17.1.12'
> srcport: '2175'
> dstip: '66.235.138.59'
> dstport: '80'
>
> So given all that, the lookup should run and generate an alert since
> the srcip from the log is in the list with a value of sslvpn. Or am I
> missing something?
>
>
> Brooks Garrett
> E: [email protected]
> P: 912.225.4097
> K: 0x13FC3821 (keyserver.ubuntu.com)
>
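To make the expected behaviour of the four CDB lookup types concrete, here is an added example (not code from the thread or from OSSEC itself) that replays the posted list and decoded PIX fields through a small stand-in for the rule engine's list check. The list and log values are taken from the post; the progressive-prefix search for the address_* lookups (exact IP, then `10.17.1.`, `10.17.`, `10.`) and the use of a Python regex in place of OSSEC's OSMatch syntax for `check_value` are assumptions about how OSSEC evaluates these lookups, so treat the output as what the rule *should* do, not as proof of what a given OSSEC build does.

```python
import re

# Constructed from the original post: the CDB list source (key:value per
# line) and the decoded fields of the PIX log line.
LIST_SOURCE = """\
# lists/bcexclusions (as posted)
10.17.1.:sslvpn
"""

DECODED_LOG = {
    "decoder": "pix",
    "id": "6-106100",
    "action": "permitted",
    "proto": "tcp",
    "srcip": "10.17.1.12",
    "srcport": "2175",
    "dstip": "66.235.138.59",
    "dstport": "80",
}


def parse_list(source):
    """Parse a CDB list source file into a {key: value} dict.

    ossec-makelists compiles 'key:value' lines into a CDB file; this plain
    dict is a stand-in, not OSSEC's own code. Blank lines and '#' comments
    are skipped; a line without ':' becomes a key with an empty value.
    """
    table = {}
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key] = value
    return table


def address_candidates(ip):
    """Yield the exact IP, then successively shorter dotted prefixes.

    Assumption about OSSEC's address_match_key: after the exact address it
    retries with each trailing octet removed but the dot kept, so
    '10.17.1.12' -> '10.17.1.' -> '10.17.' -> '10.'. That is why the list
    key in the post ends with a dot.
    """
    yield ip
    parts = ip.split(".")
    for n in range(len(parts) - 1, 0, -1):
        yield ".".join(parts[:n]) + "."


def cdb_lookup(table, lookup, field_value, check_value=None):
    """Evaluate one <list lookup="..."> clause; True means the clause holds.

    check_value is consulted only by the *_key_value lookups. It is treated
    here as a Python regex; OSSEC applies its own OSMatch syntax, in which
    '^' likewise anchors to the start of the stored value. The first key
    that is present decides the result (assumed; shorter prefixes are not
    retried when its value fails the check).
    """
    if lookup in ("match_key", "match_key_value"):
        keys = [field_value]
    elif lookup in ("address_match_key", "address_match_key_value"):
        keys = list(address_candidates(field_value))
    else:
        raise ValueError("unknown lookup type: %s" % lookup)

    for key in keys:
        if key in table:
            if lookup.endswith("_value"):
                if check_value is None:
                    raise ValueError("%s requires check_value" % lookup)
                return re.search(check_value, table[key]) is not None
            return True
    return False


def rule_110102_fires(table, decoded):
    """The posted rule: srcip is in the list with a value starting 'sslvpn'."""
    return cdb_lookup(table, "address_match_key_value",
                      decoded["srcip"], check_value="^sslvpn")


if __name__ == "__main__":
    table = parse_list(LIST_SOURCE)
    for mode in ("match_key", "address_match_key",
                 "match_key_value", "address_match_key_value"):
        cv = "^sslvpn" if mode.endswith("_value") else None
        print("%-24s -> %s" % (mode, cdb_lookup(table, mode, DECODED_LOG["srcip"], cv)))
    print("rule 110102 fires:", rule_110102_fires(table, DECODED_LOG))
```

Running it shows why `match_key` alone is the wrong comparison for the poster's list: the exact key `10.17.1.12` is not in the list, so only the address_* lookups reach the `10.17.1.` entry, and `address_match_key_value` with `^sslvpn` then evaluates true. If a real OSSEC install returns nothing for the same inputs, the difference lies in the engine's handling of `check_value`, not in the rule or list as written.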
